From: Todd Miller
To: Perforce Change Reviews
Subject: PERFORCE change 97366 for review
Date: Wed, 17 May 2006 19:04:59 GMT
List-Id: TrustedBSD CVS and Perforce commit message list

http://perforce.freebsd.org/chv.cgi?CH=97366

Change 97366 by millert@millert_ibook on 2006/05/17 19:04:33

	Properly label all tty and disk device nodes and add
	transitions for fsck, mount, etc.

Affected files ...

.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/devfs#3 edit
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/rules#10 edit
.. //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/sebsd-relabel.sh#5 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/devfs#3 (text+ko) ====
@@ -9,6 +9,22 @@ genfscon devfs /random system_u:object_r:random_device_t genfscon devfs /urandom system_u:object_r:random_device_t genfscon devfs /ttyp system_u:object_r:devpts_t +genfscon devfs /ttyq system_u:object_r:devpts_t +genfscon devfs /ttyr system_u:object_r:devpts_t +genfscon devfs /ttys system_u:object_r:devpts_t +genfscon devfs /ttyt system_u:object_r:devpts_t +genfscon devfs /ttyu system_u:object_r:devpts_t +genfscon devfs /ttyv system_u:object_r:devpts_t +genfscon devfs /ttyw system_u:object_r:devpts_t genfscon devfs /ptyp system_u:object_r:devpts_t +genfscon devfs /ptyq system_u:object_r:devpts_t +genfscon devfs /ptyr system_u:object_r:devpts_t +genfscon devfs /ptys system_u:object_r:devpts_t +genfscon devfs /ptyt system_u:object_r:devpts_t +genfscon devfs /ptyu system_u:object_r:devpts_t +genfscon devfs /ptyv system_u:object_r:devpts_t +genfscon devfs /ptyw system_u:object_r:devpts_t +genfscon devfs /disk system_u:object_r:disk_device_t +#genfscon devfs /bpf system_u:object_r:bpf_device_t # FLASK ==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/rules#10 (text+ko) ==== @@ -32,6 +32,7 @@ type sysadm_devpts_t; type tmpfs_t; type device_t; +type disk_device_t; type memory_device_t; type null_device_t; type zero_device_t; @@ -62,6 +63,7 @@ type notifyd_d, domain, domain2; type mtest_d, domain, domain2; type diskarbitrationd_d, domain, domain2; +type fsadm_d, domain, domain2; type configd_d, domain, domain2; type pbs_exec_t, file; @@ -76,6 +78,7 @@ type notifyd_exec_t, file; type mtest_exec_t, file; type diskarbitrationd_exec_t, file; +type fsadm_exec_t, file; type configd_exec_t, file; role system_r types init_d; @@ -97,6 +100,7 @@ role system_r types notifyd_d; role system_r types mtest_d; role system_r types diskarbitrationd_d; +role system_r types fsadm_d; role system_r types configd_d; role system_r types security_t; role system_r types unlabeled_t; 
@@ -177,6 +181,8 @@ allow domain2 file:{file lnk_file sock_file fifo_file} {create_file_perms execute }; allow domain2 file:file execute_no_trans; allow domain2 file:dir { create_dir_perms }; +allow domain2 device_t:dir { read search getattr }; +allow domain2 {device_t disk_device_t}:{blk_file} { getattr }; allow domain2 {null_device_t console_device_t memory_device_t random_device_t zero_device_t device_t}:{file chr_file} create_file_perms; allow domain2 device_t:blk_file create_file_perms; allow domain2 {devpts_t user_devpts_t sysadm_devpts_t}:chr_file create_file_perms; @@ -212,6 +218,13 @@ # Transitions for mtest domain_auto_trans(user_secret_d,mtest_exec_t,mtest_d); +# Transitions for fsck* +domain_auto_trans(init_d,fsadm_exec_t,fsadm_d); +allow_mach_ipc(fsadm_d,mach_init_d); +allow_mach_ipc(fsadm_d,unlabeled_t); +allow fsadm_d device_t:dir { read search getattr }; +allow fsadm_d disk_device_t:blk_file { read write getattr }; + domain_auto_trans(systemstarter_d,windowserver_exec_t,windowserver_d); domain_auto_trans(systemstarter_d,securityserver_exec_t,securityserver_d); domain_auto_trans(systemstarter_d,coreservices_exec_t,coreservices_d); @@ -325,6 +338,7 @@ allow_mach_ipc(diskarbitrationd_d,lookupd_d); allow_mach_ipc(diskarbitrationd_d,securityserver_d); allow_mach_ipc(diskarbitrationd_d,systemstarter_d); +allow diskarbitrationd_d disk_device_t:blk_file { read write getattr }; # user_d rules allow_notify_ipc(user_d); ==== //depot/projects/trustedbsd/sedarwin7/src/sedarwin/policy/sebsd-relabel.sh#5 (text+ko) ==== 
@@ -12,6 +12,8 @@ $SETFMAC sebsd/system_u:object_r:bin_t /bin/* $SETFMAC sebsd/system_u:object_r:bin_t /usr/bin/* $SETFMAC sebsd/system_u:object_r:bin_t /usr/local/bin/* +$SETFMAC sebsd/system_u:object_r:fsadm_exec_t /sbin/fsck* +$SETFMAC sebsd/system_u:object_r:fsadm_exec_t /sbin/mount* $SETFMAC sebsd/system_u:object_r:shell_exec_t /bin/*sh $SETFMAC sebsd/system_u:object_r:login_exec_t /usr/bin/login $SETFMAC sebsd/system_u:object_r:sshd_exec_t /usr/sbin/sshd
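
Review bot: In the devfs hunk, `genfscon devfs /disk` only matches node names that begin with /disk, and the rules hunks grant disk_device_t access for blk_file only, so the raw character nodes (/dev/rdisk* on Darwin) keep the default devfs label and fall outside these rules. If fsck is expected to open the raw device, add a `/rdisk` entry and a matching chr_file rule. The commented-out `#genfscon devfs /bpf system_u:object_r:bpf_device_t` needs a note saying why it is disabled, and no `type bpf_device_t` declaration is added in the visible rules hunks, so confirm the type exists before enabling it.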
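
Review bot: In the domain2 hunk of rules (@@ -177), the device_t half of `allow domain2 {device_t disk_device_t}:{blk_file} { getattr };` overlaps the existing context line `allow domain2 device_t:blk_file create_file_perms;` two lines below, assuming create_file_perms includes getattr as it does in the stock macros. Narrow the new rule to disk_device_t, and add a comment that getattr-only on disk nodes is deliberate for ordinary domain2 processes, since read and write are granted per domain elsewhere in this change.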
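
Review bot: In the fsck hunk of rules (@@ -212), `allow fsadm_d device_t:dir { read search getattr };` repeats what fsadm_d already receives through its domain2 attribute (`type fsadm_d, domain, domain2;` together with the new `allow domain2 device_t:dir { read search getattr };`), so it can be dropped. The only entry into fsadm_d is `domain_auto_trans(init_d,fsadm_exec_t,fsadm_d);`, so fsck or mount started from any other domain stays in the caller's domain without the disk_device_t read/write grant; either add the other intended callers or say in the comment that this is init-only. The comment reads "Transitions for fsck*" although the relabel script also puts /sbin/mount* in fsadm_exec_t, and `allow_mach_ipc(fsadm_d,unlabeled_t);` needs a comment naming the peer that is still unlabeled.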
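
Review bot: In the sebsd-relabel.sh hunk, the globs `/sbin/fsck*` and `/sbin/mount*` label every binary matching those prefixes as fsadm_exec_t, so each of them, when run from init_d, enters fsadm_d with `disk_device_t:blk_file { read write getattr }`, including any mount helper for a filesystem that never touches a local disk. List the binaries that need raw disk access explicitly, or document that the wide match is intended.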